Application layer attack or abbreviated as L7 DDoS attack is a kind of malicious behavior mapped out to focus on the “top” layer in the OSI model where common internet requests such as HTTP GET and HTTP POST occur. Layer 7 attacks, as opposed to network layer attacks like DNS Amplification, are particularly effective thanks to their consumption of server resources additionally to network resources.
How do Application-layer Attacks Work?
The underlying effectiveness of most DDoS attacks emerges from the discrepancy between the number of resources it takes to launch an attack relative to the number of resources it takes to absorb or mitigate one. While this is often still the case with L7 attacks, the efficiency of affecting both the targeted server and therefore the network requires less total bandwidth to realize an equivalent disruptive effect; an application layer attack generates more damage with sizeable total bandwidth.
To explore why this is often the case, let’s take a glance at the difference in relative resource consumption between a client making an invitation and a server responding to the request.
When a user sends an invitation logging into a web account like a Gmail account, the quantity of knowledge and resources the user’s computer must utilize are minimal and are out of proportion to the number of resources used in the process of checking login credentials, loading the relevant user data from a database, and then sending back a response containing the requested webpage.
Even within the absence of a login, repeatedly a server receiving an invitation from a client must make database queries or other API calls so as to supply a webpage. When this disparity is magnified as a result of many devices targeting one web property like during a botnet attack, the effect can overwhelm the targeted server, resulting in denial-of-service to legitimate traffic. In many cases simply targeting an API with a L7 attack is enough to require the service offline.
Why is it Difficult to Prevent Application-layer DDoS Attacks?
Differentiating between malicious traffic and legitimate traffic is difficult, especially within the case of an application layer attack like a botnet performing an HTTP Flood attack against a victim’s server. Because each bot during a botnet makes seemingly legitimate network requests the traffic isn’t caricatured and should appear “normal” in origin.
Application layer attacks require an adaptive strategy including the power to limit traffic supported particular sets of rules, which can fluctuate regularly. Tools like a properly configured WAF can mitigate the quantity of bogus traffic that’s passed on to an origin server, greatly diminishing the impact of the DDoS attempt.
While other attacks such as SYN floods, slowLoris, Ping of death, or reflection attacks such as NTP amplification, strategies can be used to let fall the traffic fairly efficiently provided the network itself has the bandwidth to receive them. Regrettably, most networks cannot receive a 300Gbps amplification attack, and even fewer networks can properly route and serve the quantity of application layer requests an L7 attack can generate.
What Tactics Help Mitigate Application-layer Attacks?
One method is to implement a challenge to the device making the network request so as to check whether or not it’s a bot. This is done through a test very similar to the CAPTCHA test commonly found when creating an account online. By sending out a requirement such as a JavaScript computational challenge, many attacks can be detected and mitigated.
Other avenues for stopping HTTP floods include the utilization of an web application firewall, managing and filtering traffic through an IP reputation database, and thru on-the-fly network analysis by engineers.